
Chapter 17. Human Resources Security. Security Awareness, Training, and Education.

Presentation Transcript


  1. Chapter 17 Human Resources Security

  2. Security Awareness, Training, and Education The topic of security awareness, training, and education is mentioned prominently in a number of standards and standards-related documents, including ISO 27002 (Code of Practice for Information Security Management) and NIST Special Publication 800-100 (Information Security Handbook: A Guide for Managers).

  3. Benefits to Organizations

  4. Human Factors

  5. Learning Continuum

  6. Table 17.1 Comparative Framework

  7. Awareness
  • seeks to inform and focus an employee's attention on security issues within the organization
  • employees should be aware of their responsibilities for maintaining security and the restrictions on their actions
  • users understand the importance of security for the well-being of the organization
  • promote enthusiasm and management buy-in
  • program must be tailored to the needs of the organization and target audience
  • must continually promote the security message to employees in a variety of ways
  • should provide a security awareness policy document to all employees

  8. NIST SP 800-100 (Information Security Handbook: A Guide for Managers) describes the content of awareness programs, in general terms, as follows: “Awareness tools are used to promote information security and inform users of threats and vulnerabilities that impact their division or department and personal work environment by explaining the what but not the how of security, and communicating what is and what is not allowed. Awareness not only communicates information security policies and procedures that need to be followed, but also provides the foundation for any sanctions and disciplinary actions imposed for noncompliance. Awareness is used to explain the rules of behavior for using an agency’s information systems and information and establishes a level of expectation on the acceptable use of the information and information systems.”

  9. Training

  10. Education
  • the most in-depth program
  • targeted at security professionals whose jobs require expertise in security
  • fits into the employee career development category
  • often provided by outside sources:
    • college courses
    • specialized training programs

  11. Employment Practices and Policies
  • managing personnel with potential access is an essential part of information security
  • employee involvement:
    • unwittingly aid in the commission of a violation by failing to follow proper procedures
    • forgetting security considerations
    • not realizing that they are creating a vulnerability
    • knowingly violate controls or procedures

  12. Security in the Hiring Process
  • objective:
    • “to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities”
  • need appropriate background checks and screening
  • investigate accuracy of details
  • for highly sensitive positions:
    • have an investigation agency do a background check
    • criminal record and credit check

  13. Employment Agreements
  • employees should agree to and sign the terms and conditions of their employment contract, which should include:
    • employee and organizational responsibilities for information security
    • a confidentiality and non-disclosure agreement
    • reference to the organization's security policy
    • acknowledgement that the employee has reviewed and agrees to abide by the policy

  14. During Employment
  • objectives with respect to current employees:
    • ensure that employees, contractors, and third-party users are aware of information security threats and concerns and their responsibilities and liabilities with regard to information security
    • ensure that they are equipped to support the organizational security policy in their work
    • reduce the risk of human error
  • two essential elements of personnel security during employment are:
    • a comprehensive security policy document
    • an ongoing awareness and training program
  • security principles:
    • least privilege
    • separation of duties
    • limited reliance on key employees

  15. Termination of Employment
  • termination security objectives:
    • ensure employees, contractors, and third-party users exit the organization or change employment in an orderly manner
    • ensure the return of all equipment and the removal of all access rights are completed

  16. Email and Internet Use Policies
  • organizations are incorporating specific e-mail and Internet use policies into their security policy document
  • concerns for employers:
    • work time consumed in non-work-related activities
    • computer and communications resources may be consumed, compromising the mission that the IS resources are designed to support
    • risk of importing malware
    • possibility of harm, harassment, inappropriate online conduct

  17. Suggested Policies

  18. Security Incident Response
  • response procedures to incidents are an essential control for most organizations
  • procedures need to reflect possible consequences of an incident on the organization and allow for a suitable response
  • developing procedures in advance can help avoid panic
  • benefits of having an incident response capability:
    • systematic incident response
    • quicker recovery to minimize loss, theft, disruption of service
    • use information gained during incident handling to better prepare for future incidents
    • dealing properly with legal issues that may arise during incidents

  19. Computer Security Incident Response Team (CSIRT)

  20. Security Incident

  21. Security Incident Terminology

  22. Detecting Incidents
  • incidents may be detected by users or administration staff
  • staff should be encouraged to make reports of system malfunctions or anomalous behaviors
  • automated tools:
    • system integrity verification tools
    • log analysis tools
    • network and host intrusion detection systems (IDS)
    • intrusion prevention systems

  23. Triage Function
  • goal:
    • ensure that all information destined for the incident handling service is channeled through a single focal point
    • commonly achieved by advertising the triage function as the single point of contact for the whole incident handling service
  • responds to incoming information by:
    • requesting additional information in order to categorize the incident
    • notifying the various parts of the enterprise or constituency about the vulnerability and sharing information about how to fix or mitigate it
    • identifying the incident as either new or part of an ongoing incident and passing this information on to the incident handling response function

  24. Responding to Incidents
  • must have documented procedures to respond to incidents
  • procedures should:

  25. Incident Handling Life Cycle

  26. Documenting Incidents
  • should immediately follow a response to an incident
  • identify what vulnerability led to its occurrence
  • how this might be addressed to prevent the incident in the future
  • details of the incident and the response taken
  • impact on the organization’s systems and their risk profile

  27. Table 17.3 Examples of Possible Information Flow To and From the Incident Handling Service

  28. Summary
  • security awareness, training, education
    • motivation
    • learning continuum
    • awareness
    • training
    • education
  • employment practices and policies
    • security in the hiring process
    • security during employment
    • security at termination of employment
  • e-mail and Internet use policies
    • motivation
    • policy issues
    • guidelines for developing
  • computer security incident response teams
    • detecting incidents
    • triage function
    • responding to incidents
    • documenting incidents
    • information flow for incident handling
